Hi Sumit,

On Fri, Nov 9, 2018 at 12:53 PM Sumit Bose via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

> I would suggest to first check if SSSD can see the certificate as well.
> For this please call:
>
>     /usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --nssdb=/etc/pki/nssdb --pre
>
> At the end you should see the base64 encoded certificate with some other
> Smartcard details. If not, the debug output might help to figure out why
> the certificate was not found.

ok, it does not see anything:
$ /usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --nssdb=/etc/pki/nssdb --pre
(Fri Nov  9 12:58:37:924551 2018) [[sssd[p11_child[6490]]]] [main] (0x0400): p11_child started.
(Fri Nov  9 12:58:37:924597 2018) [[sssd[p11_child[6490]]]] [main] (0x2000): Running in [pre-auth] mode.
(Fri Nov  9 12:58:37:924612 2018) [[sssd[p11_child[6490]]]] [main] (0x2000): Running with effective IDs: [1000][1000].
(Fri Nov  9 12:58:37:924624 2018) [[sssd[p11_child[6490]]]] [main] (0x2000): Running with real IDs [1000][1000].
(Fri Nov  9 12:58:37:925728 2018) [[sssd[p11_child[6490]]]] [init_verification] (0x0040): X509_LOOKUP_load_file failed [185090184][error:0B084088:x509 certificate routines:X509_load_cert_crl_file:no certificate or crl found].
(Fri Nov  9 12:58:37:925742 2018) [[sssd[p11_child[6490]]]] [do_work] (0x0040): init_verification failed.
(Fri Nov  9 12:58:37:925753 2018) [[sssd[p11_child[6490]]]] [main] (0x0040): do_work failed.
(Fri Nov  9 12:58:37:925762 2018) [[sssd[p11_child[6490]]]] [main] (0x0020): p11_child failed!

but certutil sees it ok, after entering the pin:
$ certutil -L -d /etc/pki/nssdb/ -h user10

Certificate Nickname                                         Trust Attributes

Enter Password or Pin for "user10":
user10:Certificate for PIV Authentication                    u,u,u